Authors: @Youngjoon Lee @Daniel Sanchez Quiros

Introduction

We have several areas where keys are required for distinct purposes, such as signing, verification, and encryption. We need a unified and secure approach to managing keys and performing key operations to address this. This will ensure consistent usage across all components in our Rust implementation of the Nomos node.

This note is a summary of the call between @Daniel Sanchez Quiros and @Youngjoon Lee had on 2024-12-20.

Design Option: Key Management Service

This is one of the potential approaches for implementing a unified key management system. It is designed as an Overwatch service, allowing other Overwatch services in the Nomos node to access it. (Centralized key management service)

Key Registration

• Keys are zeroed

• Keys are loaded from the configuration and given statically typed ID

  • In the future maybe keys are generated from a single secret
    • e.g. HD (Hierarchical Deterministic) Key Derivation

• Services ask for registering a key

  // request
  Register {
  	key_scheme: KeyScheme
  }
  
  // response
  Register {
  	key_id: KeyId
  }
  

Key Operations

• Request public key:

  // request 
  GetPublicKey {
    key_id: KeyId
  }
  // response
  GetPublicKey {
    public_key: Bytes
  }
  

• Request signing:

  // request 
  Sign {
  	key_id: KeyId,
  	data: Bytes
  }
  // response
  Signed {
    signature: Bytes
  }
  

• Execute an arbitrary operation over private key:

  // request
  Execute {
  	key_id: KeyId,
  	method: impl FnMut(&mut SK),
  }